162899 – (CVE-2002-1903) CVE-2002-1903 pine username disclosure issue

Bug 162899 (CVE-2002-1903) - CVE-2002-1903 pine username disclosure issue

Summary: CVE-2002-1903 pine username disclosure issue

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2002-1903
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2005-07-11 15:19 UTC by Josh Bressers
Modified:	2021-11-12 19:17 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2006-03-09 08:58:46 UTC
Embargoed:

Attachments	(Terms of Use)

Description Josh Bressers 2005-07-11 15:19:41 UTC

This text is taken from here:
http://archives.neohapsis.com/archives/bugtraq/2002-06/0053.html
From: Roger Marquis

    The Pine email client allows users to define the "From:"
    address independent of their Unix username. This is an
    indispensable feature for help desks and other role accounts.

    Unfortunately, user names and/or ids can still be leaked due to
    Pine's insertion of "Sender:" and/or "X-Sender:" headers. Pine
    versions earlier than 4.44 may also insert the Unix username
    into other envelope and header fields. 


That message also contains a patch for this issue.

Comment 2 Mark J. Cox 2007-07-20 12:02:53 UTC

This is a debatable security issue, it's the way many mailers worked, it was
documented behaviour, and is of minimal security consequence.  It's not worth
issuing a security update for RHEL2.1 to correct this issue.  wontfix.

Note You need to log in before you can comment on or make changes to this bug.